Epic Games to pay $520M over COPPA, trick purchase charges

The developer violated the Children’s Online Privacy Protection Act (COPPA) and its related rule by collecting the names, email addresses, and other personal information of underage players without parental consent, the Department of Justice (DOJ) and Federal Trade Commission (FTC) alleged. Epic Games was further cited for violating the FTC Act by implementing default privacy settings that could harm younger players.

Epic Games agreed to pay $275 million in civil penalties as part of its settlement filed Monday in U.S. District Court for the Eastern District of North Carolina. The total is a record for a COPPA violation, the agencies noted.

As part of a separate order filed by the FTC, the developer must pay an additional $245 million in restitution to millions of customers who were duped by its “dark patterns” and billing practices, which allegedly tricked players into purchases they hadn’t intended to make. It is the largest refund amount the FTC has ordered in a gaming case, the agency said.

Calling it a “first-of-its-kind provision,” the FTC said Epic Games must adopt strong privacy settings for younger players, including ensuring voice and text communications are turned off by default.

Fortnite, which has more than 400 million users, is free to download but charges players for in-game purchases. Because of the game’s child-oriented activities and the way Epic Games has marketed it to younger players, Fortnite is considered as being directed to children under age 13, the FTC said in its COPPA complaint.

Epic Games “was aware that many children were playing Fortnite—as shown through surveys of Fortnite users, the licensing and marketing of Fortnite toys and merchandise, player support, and other company communications—and collected personal data from children without first obtaining parents’ verifiable consent,” the FTC said.

The company also failed to delete children’s information after their parents made official requests, the agency said.

Within 30 days, Epic Games must create a privacy program to protect customer information and designate an employee or team to carry out the program. The program must be assessed by a third-party privacy expert. For 10 years, the program must be evaluated annually, including assessing the risk of the unauthorized collection or dissemination of personal information and testing safeguards in place, and results sent to a governing body or senior officer.

The company also must provide annual training for all employees and contractors about complying with the COPPA Rule.

Within 60 days, Epic Games must delete the personal information of all players under 13 years of age unless parents have provided consent for it to be retained. Within 90 days, the developer must show the FTC it has deleted the information and/or obtained the necessary parental consents and the number of accounts affected.

“No developer creates a game with the intention of ending up here,” Epic Games said in a statement posted Monday on its website. “The video game industry is a place of fast-moving innovation, where player expectations are high and new ideas are paramount. Statutes written decades ago don’t specify how gaming ecosystems should operate. The laws have not changed, but their application has evolved and long-standing industry practices are no longer enough.”

Epic Games said it also no longer saves customer payment information by default.

“We’ve agreed with the FTC to change this practice, and we now offer an explicit yes or no choice to save payment information,” the company said.